Compiling Method for Command Based Router Classifiers

ABSTRACT

A method and compiler for compiling hierarchical command based policy rules to a flat filter list structure adapted for storage in a Content Addressable Memory (CAM), wherein the policy rules are organized in a tree-structure of classifiers. First, all of the possible search paths in the tree structure are found, and then only the valid search paths according to defined criteria are added to the flat filter list. The CAM may be a Ternary Content Addressed Memory.

TECHNICAL FIELD

The present invention relates to IP classification in routers.

The present invention relates to a method for compiling command basedrouter classifiers to an equivalent flat structure that is suitable forstoring in Ternary CAM (Content Addressable Memory) for fast look-up.

BACKGROUND OF THE INVENTION

Internet Protocol (IP) classification is performed in routers. This isthe process of classifying IP packets into categories that requirespecial treatment. A subset of IP classification is IP filtering. IPfiltering is a security feature that restricts IP traffic by permittingor denying packets by applying certain rules. This way, users can berestricted to specific domains or applications on the Internet. Toperform classification, IP headers of packets that reach a router needto be compared to patterns stored in a table, generating an output thatclassifies the packet. Usually, this table is stored in memory andmatching is done in software.

The functionality of filtering and classifying packets treated here iscalled Multi-field (MF) classification, since it acts on severalindependent fields in the packet headers, and is used both forDifferentiated Services (DiffServ) policy enforcement and security(firewall) filtering.

The IP header fields on which packets can be classified by the filtersare:

-   -   IP Source Address;    -   IP destination Address;    -   IP version—IPv4 or IPv6 or both;    -   Protocol—next header protocol (layer 4);    -   DSCP—DS code point (former TOS field);    -   Source Port—with limited range possibility;    -   ICMP Type;    -   TCP Session Established.

The command based router classifiers is structured in a tree-likehierarchy with a policy map consisting of class maps, access controllists and filters with their match outcomes, actions and match patterns.

Said structures are built in a hierarchy of the components Filters, ACLs(access control lists, or just access lists), CMAPs (class maps) andPMAPs (policy maps). These components will now be described one by onein more detail with reference to FIG. 1:

Filter—this component cannot be specified alone, but only as part of anincluding ACL. Each filter consists of a match field and a result. Thematch field is a bit-pattern, wherein “don't care” is allowed, to testfor match against defined header fields of packets to be classified. Theresult is an indication of whether or not a packet matching the matchfield is considered to belong to the ACL as a whole. Conventionally theresult is called either “permit”, meaning “belongs to ACL”, or “deny”,meaning “does not belong to ACL”. (These conventional terms come fromthe original restricted use of ACLs, which was only to determine accessthrough a firewall.) For the extended use of ACLs employed now, it issuggested using “+” and “−” instead of permit and deny.

ACL—Access Control List, or just access list, is an ordered list ofFilters to be tried for match against packets to be classified, startingat the head of the list, and progressing through until some filtermatches, or until the end of the list is reached. If the end of the listis reached without any filter matching, it is deemed that the packetdoes not match the ACL, which could be considered as an implicit filterat the tail of the ACL having bits “don't care” in the match field and“deny” as the result. Each ACL is defined by a management operation andis given a name to use as reference. Filters can be added and removedfrom existing ACLs. Note that the order of the filters in an ACL issignificant, so the position, priority, of added filters can bespecified. ACLs can be used in two ways: as a member of a CMAP (seebelow) or tied directly to an interface as a firewall filter.

CMAP—Class Map is a set (order not significant) of specified (by name,e.g. reference number) ACLs and match operator, also denoted match mode,which is either match-any or match-all. A packet being classified isconsidered to belong to a class defined by a CMAP either if it matchesany of the ACLs in a CMAP having the match-any attribute or, if, andonly if, it matches all the ACLs in a CMAP having the match-allattribute. CMAPs are defined by management operations and given areference name. Existing CMAPs can also be modified. The only use of aCMAP is by membership in a PMAP.

PMAP—Policy Map is an ordered set of CMAPs to which each CMAP isassociated with an action. A PMAP can be tied to an interface, and thenall packets passing the interface will be tested against the PMAP,starting with the first CMAP and continuing until the packet is found tobelong to a CMAP or until all CMAPs have been exhausted. When the packetis found to belong to a CMAP, the associated action is performed. Thepossible actions are:

-   -   FORWARD—which means “forward the packet”;    -   DROP—drop the packet;    -   REMARK DSCP n—rewrite the DSCP (DS code point) field of the        packet to a specified new value.

The default action is FORWARD.

Note: When a packet matches a filter having result permit, thus causingthe packet to belong to the class defined by a CMAP including this ACL,and in which the CMAP is included in a PMAP with action DROP. The packetis thus dropped due to matching a filter with permit.

Each interface can be tied to at most one PMAP and one firewall ACL(otherwise would not make sense). Inbound and outbound interfaces aretreated separately.

Since ACLs are referred to by name, the same ACL can be used in severalroles (as member of multiple CMAPs and/or as firewall ACL for variousinterfaces). Likewise, the same CMAP can be used in multiple PMAPs, andthe same PMAP can be tied to various interfaces.

If an interface is tied both to a firewall ACL and to a PMAP, thefirewall ACL (ACL_(FW)) is traversed first, and only if a packet ispermitted for access is it tested against the PMAP. Interfaces which isnot connected to a firewall ACL are implicitly permitted for access.

Due to increasing performance requirements and larger and wider searchsets, software-based search algorithms become too slow and alternativeimplementations need to be considered. One such alternative is to use aContent Addressable Memory (CAM).

A Content Addressable Memory, CAM, is a memory device that has becomeincreasingly valuable during the recent years in some applications. ACAM can perform fast storing and search operations. The CAM provides aperformance advantage over memory search algorithms such as binary andtree based searches or look-aside tag buffers by comparing the desiredinformation against the entire list of pre-stored data simultaneouslyoften resulting in an order-of-magnitude reduction of search time. Onceinformation is stored in a CAM location, it is found by comparing everybit in the CAM with the bits of the data in a search expression. Ifthere is a match for every bit in a location with every correspondingbit in the search expression, an output is obtained from the CAM, whichis an association value or address pointing to associated information.The associated information may be stored in a conventional memory devicesuch as a RAM. Depending on the application, the RAM can containinformation or instructions or operations or the like to be displayed orperformed when there is a match between the search expression and theinformation stored in the CAM. Thus, with a CAM, the data is suppliedand the address is obtained.

Because the CAM doesn't need address lines to find data, the depth of amemory system using CAMs can be extended as far as desired, but thewidth is limited by the size of the chip. For example, a chip can be 64to 128 bits wide, but 32768 entries deep. It is fairly easy to extendthe depth of the CAM, because the addressing is all self-contained.

Some CAMs are so called ternary CAMs in which the stored data cancontain bit values of 0, 1 or X, where X is interpreted as “don't care”,i.e. the value matches both 0 and 1.

The function and advantages of the CAM memory makes it very suitable forapplications and operations such as LANs, data base management, filestorage management, look-up to pattern recognition, and the like, and isparticularly suited to performing search operations. To classify apacket, the look-up performance will depend on the search algorithm, andthe look-up time is not deterministic using software solutions. Hardwareaccelerated solutions, such as Ternary Content Addressable Memory(TCAM), will increase the search performance by orders-of-magnitude asthe look-up in TCAM entries can be performed with a single operation,typically at one clock cycle. In recent years, TCAMs are becomingfaster, bigger and cheaper, and they provide an excellent solution fordoing very fast look-ups with deterministic look-up time.

A method in which CAMs of less width are used to store “expressions” inCAMs and to match expressions with the contents of CAMs, where the widthof the expressions is larger than the width of the CAMs used, is earlierknown from the international patent application WO 02/082458.

From the U.S. Pat. No. 6,484,170 techniques for generating searchabledata entries in a CAM, such as binary or ternary CAMs, are earlierknown. In said document, a method of classifying data networking packetsand a packet classifier based on subfields of a packet header are alsodescribed.

Packet classification by using TCAMs is earlier known and treated in adocument “Efficient Mapping of Range Classifier into Ternary-CAM” byHuan Liu, published on the internet by Department of ElectricalEngineering, Stanford University, CA 94305.

In practice, complications arise because the desired classificationrules to be enforced on the traffic flow, as defined by a networkmanager, consist of a tree-like structure in which it is required tolook for more than one possible match against each packet in the flow.Such a structure is straightforward and easy to follow manually, or by aprocedural program, but not by a linear CAM array which terminatessearch at the first matching entry. However, CAMs, such as TCAMs, canonly store flat structures and a tree-like hierarchy cannot be stored init directly. To get a table of CAM entries to provide a behaviourcorresponding to that of the tree-like structure, the filter rules mustbe “flattened” to a linear array, taking advantage of the CAM's ternarycapability (“don't care” match at required bit positions). Theimplementation of the “flattening” of the filter tree is called the“Filter Compiler”. Therefore, an algorithm is needed for compiling thecommand based router classifiers with a tree-like hierarchy to anequivalent flat CAM friendly structure.

BRIEF DESCRIPTION OF THE INVENTION

One of the objects with the present invention is to provide an algorithmfor compiling the command based router classifiers with a tree-likehierarchy to an equivalent flat CAM friendly structure.

Therefore, the present invention solves the problem to compile commandbased policy rules to a format, such as a flat filter list structure,adapted for storage in a Ternary Content Addressable Memory (TCAM), by amethod that involves steps of finding all the possible search paths inthe tree structure and steps of only adding the valid search pathsaccording to defined criteria to the flat filter list.

The present invention is defined according to the independent claim 1.Different embodiments of the invention is defined by the independentclaims 2-9.

A computer program product according to the invention is definedaccording to the independent claim 10.

An advantage with the present invention is that it provides acomputerized method to compile the command based router classifiers witha tree-like hierarchy to an equivalent flat CAM friendly structure. Thiswill save a lot of time and money as the work to transform filter rulesfrom tree-structure to flat structure does not have to be performedmanually. This is especially interesting when converting old filter rulesystems to TCAM solutions.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will now be described in more detail withreference to following drawings:

FIG. 1 is a diagram schematically showing a tree-like filter structureand a flat filter structure.

FIG. 2 is a block diagram illustrating an application of the presentinvention.

FIG. 3 is a block diagram illustrating TCAM application for IP addresslook-up.

FIG. 4 is an illustration of a filter rule represented as TCAM entry.

FIG. 5 is a flow-chart illustrating a first embodiment of the presentinvented method.

DETAILED DESCRIPTION OF THE INVENTION

The functionality of filtering and classifying packets treated here iscalled Multi-field (MF) classification, since it acts on severalindependent fields in the packet headers, and is used both forDifferentiated Services (DiffServ) policy enforcement and security(firewall) filtering.

FIG. 2 is a block diagram illustrating an application of the presentinvention. The present invention is illustrated as a filter compilerthat is used to transform a database of classifiers in a DifferentiatedServices (DiffServ) application. When defining a policy for IP trafficin DiffServ, filter are used. Said filter, or rather filter rules, isorganized in a tree-like structure of classifiers such as Access controllists, Class Maps and Policy Maps. To speed up the seeking process forfilter match, a Content Addressable Memory (CAM) can be used to storethe filter entries. As CAM has a flat structure and it searches all theentries at the same time, it is not suitable to store a tree-likestructure in a CAM. Thus it is necessary to have a filter compiler totransform the tree-like filter structure to a flat database.

FIG. 3 is a block diagram illustrating TCAM application for IP addresslook-up.

The use of TCAM memory for classification is straight-forward. Eachentry in the TCAM consists of a vector of three-valued bitscorresponding to certain fields in the header of an IP packet, thereforethe name “ternary CAM” can be used. The value of each three-valued bitposition can be 0, 1, or x, where x means “don't care”. A search in theCAM is performed by the hardware HW against a packet by applying theheader fields of the packet (a vector of only 0's and 1's) to the CAM'sinternal logic. The CAM then, using fast parallel logic, finds the first“matching” entry (priority arbitration) and outputs its address(reference number 2 in the figure). This address is then used to accessa normal associated SRAM memory, from which a pre-stored output isfetched “Next Hop 3”, which affects the further handling of the packet.

The combination of the match pattern in the CAM and the output value inthe associated SRAM address is referred to as a “CAM entry”.

Thus setting up filtering and classification in the hardware consists ofinserting into certain CAM positions a pattern which will match asought-after packet, and writing the corresponding output-SRAM positionan instruction to the HW guiding treatment of the packet. To achieve“wire speed” processing of IP packets arriving on high-speed links. Theactual treatment of individual IP packets is therefore performed inhardware. Software is used to configure and control the hardware so thatit can do its job efficiently, and correctly according to the intentionsof the network manager, which through e.g. a command line interface to arouter can apply various filtering and packet-treatment policies.

FIG. 4 is an illustration of an example of a filter rule represented asTCAM entry. A filter rule is an ordered pair (F,X) where F is filter andX is the match outcome, e.g. action taken when the filter matches anincoming packet. The filter consists of one or more bit fields—in thiscase 5 tuples—each field corresponding to a header field an incomingpacket, and an associated value. The difference in filter representationbetween a binary CAM and ternary CAM is also illustrated. The TCAM isable to use the “don't care” value (x or *) in the bit positions. The IPheader fields on which packets can be classified by the filters are:

-   -   IP Source Address (don't care field allowed in least significant        bits);    -   IP destination Address (don't care field allowed in least        significant bits);    -   IP version—IPv4 or IPv6 or both (both allowed only if source and        destination addresses are completely don't care);    -   Protocol—next header protocol (layer 4);    -   DSCP—DS code point (former TOS field);    -   Source Port—with limited range possibility;    -   ICMP Type;    -   TCP Session Established (based on RST and ACK bits in TCP        header).

The present invention is a method for transforming tree-like organizedclassifiers to “flat filter” structure. The invention is implemented incomputer software programming for computers and data processing. Thedifferent steps of the invention is possible to code into computersoftware instructions in different computer program languages andcoding. As mathematical theory often is very useful for describingmethods and for guiding computer software programming, the inventedmethod will be described hereafter by using the theory of sets.

First some basic terms has to be defined in accordance to the theory ofsets.

-   -   Sequences, n-tuples and ordered pairs.    -   A sequence is an ordered set of elements,

${S = {\left( {s_{1},s_{2},\ldots \mspace{14mu},s_{n}} \right) = \left( {\sum\limits_{i = 1}^{n}{< s_{i} >}} \right)}},$

-   -   where < > is used here to give the sum operator, Σ, another        meaning, i.e. inserting/adding a new element at position i.        Similarly, we use the operator “+” also with a new meaning, so        that

$\quad\begin{matrix}{{\left( {\sum\limits_{i = 1}^{m}{< s_{1,i} >}} \right) + \left( {\sum\limits_{j = 1}^{n}{< s_{2,j} >}} \right)} = \left( {s_{1,1},s_{1,2},\ldots \mspace{14mu},s_{1,m},s_{2,1},s_{2,2},\ldots \mspace{14mu},s_{2,n}} \right)} \\{= \left( {s_{1},s_{2},\ldots \mspace{14mu},s_{m + n}} \right)} \\{= \left( {\sum\limits_{i = 1}^{m + n}{< s_{i} >}} \right)}\end{matrix}$

Notice that a sequence differs from a set in that the order of theelement in a sequence is of importance (and duplicated elements are notredundant), while in a set,

${A = {\left\{ {a_{1},a_{2},\ldots \mspace{14mu},a_{n}} \right\} = {\sum\limits_{i = 1}^{n}\left\{ a_{i} \right\}}}},$

the order is of no importance, and duplicated elements are redundant andthus can be removed.

A sequence with n elements is also called an n-tuple. A 2-tuple is alsocalled an ordered pair, S=(s₁, s₂).

Operations such as union and intersection can be applied to twosequences, X₁ and Y₂, with the same size, n elements:

$\begin{matrix}{{X_{1}\bigcup Y_{1}} = {\left( {x_{1},x_{2},\ldots \mspace{14mu},x_{n}} \right)\bigcup\left( {y_{1},y_{2},\ldots \mspace{14mu},y_{n}} \right)}} \\{= {\left( {\sum\limits_{i = 1}^{n}{< x_{i} >}} \right)\bigcup\left( {\sum\limits_{i = 1}^{n}{< y_{i} >}} \right)}} \\{= \left( {{x_{1}\bigcup y_{1}},{x_{2}\bigcup y_{2}},\ldots \mspace{14mu},{x_{n}\bigcup y_{n}}} \right)} \\{= \left( {\sum\limits_{i = 1}^{n}{< {x_{i}\bigcup y_{i}} >}} \right)}\end{matrix}$ and $\begin{matrix}{{X_{1}\bigcap Y_{1}} = {\left( {x_{1},x_{2},\ldots \mspace{14mu},x_{n}} \right)\bigcap\left( {y_{1},y_{2},\ldots \mspace{14mu},y_{n}} \right)}} \\{= {\left( {\sum\limits_{i = 1}^{n}{< x_{i} >}} \right)\bigcap\left( {\sum\limits_{i = 1}^{n}{< y_{i} >}} \right)}} \\{= \left( {{x_{1}\bigcap y_{1}},{x_{2}\bigcap y_{2}},\ldots \mspace{14mu},{x_{n}\bigcap y_{n}}} \right)} \\{= \left( {\sum\limits_{i = 1}^{n}{< {x_{i}\bigcap y_{i}} >}} \right)}\end{matrix}$

-   -   Packet and ternary packet filter.    -   A packet is a sequence with n elements (n-tuple), P=(p₁, p₂, . .        . , p_(n)), where 1, 2, . . . , n are the bit position in the        packet; pε{0,1}.    -   A ternary packet filter is a sequence with the same number of        the elements as in a packet, F=(f₁, f₂, . . . , f_(n)), where 1,        2, . . . , n matches the bit positions in a packet; fε{0,1,*,Ø},        where * is the don't care bit (i.e. wildcard), and Ø is null        (see FIG. 4).    -   If there exist one or more elements in F with value Ø, then        F=F_(Ø), which is called a null filter. No packet will match a        null filter.    -   A packet matches a filter if P∩F≠F_(Ø).    -   The intersection between two filters, F₁ and F₂.

$\quad\begin{matrix}{{F_{1}\bigcap F_{2}} = {\left( {f_{{F\; 1},1},{f_{{F\; 1},2,\ldots \mspace{14mu},}f_{{F\; 1},n}}} \right)\bigcap\left( {f_{{F\; 2},1},{f_{{F\; 2},2,\ldots \mspace{14mu},}f_{{F\; 2},n}}} \right)}} \\{= \left( {{f_{{F\; 1},1}\bigcap f_{{F\; 2},1}},{f_{{F\; 1},2}\bigcap{f_{{F\; 2},2,\ldots \mspace{14mu},}f_{{F\; 1},n}}\bigcap f_{{F\; 2},n}}} \right)} \\{= {\sum\limits_{i = 1}^{n}{< {f_{{F\; 1},i}\bigcap f_{{F\; 2},i}} >}}}\end{matrix}$

where the operation f_(F1,i)∩f_(F2,i)(iε{0, 1, . . . n}) is defined inTable 1.

TABLE 1 Intersection of two filter elements f_(F1, i)∩f_(F2, i) 0 1 * Ø0 0 Ø 0 Ø 1 Ø 1 1 Ø * 0 1 * Ø Ø Ø Ø Ø Ø

If there exists at least one i(iε{0, 1, . . . , n}),f_(F1,i)∩f_(F2,i)=Ø, then F₁∩F₂=F_(Ø).

The classifiers will now be described in terms of the mathematicaltheory.

A classifier can be represented by a Policy Map (PMAP), and the buildingblocks in a PMAP hierarchy at different levels are:

-   -   Filter and the corresponding match outcome (permit/deny)    -   Access Control List (ACL)    -   Class List (CL)    -   Class Map and its match pattern (match all/match any)

Access Control List (ACL)

An ACL is a sequence of ordered pairs (F, X), where F is a filter and Xis the corresponding matching outcome, Xε{permit, deny}. We use thesymbols X₊ for permit and X⁻ for deny.

${ACL} = {\left( {\left( {F_{1},X_{1}} \right),\left( {F_{2},X_{2}} \right),\ldots \mspace{14mu},\left( {F_{n},X_{n}} \right)} \right) = {\sum\limits_{i = 1}^{n}{< \left( {F_{i},X_{i}} \right) >}}}$

A packet matches an ACL if there exists at least one F_(i)(iε{0, 1, . .. , n}) in the ACL, P∩F_(i)≠F_(Ø), The matching outcome is the one forthe matching filter with lowest index, i.e. for all F_(j) where j<i,P∩F_(j)=F_(Ø), the match outcome will be X_(i).

An ACL always ends with an implicit, if not already existing, universalfilter (F_(*)) with a default match outcome (usually is the deny matchoutcome, X⁻), so a packet always matches this one with the outcome (X⁻)if no other matches encountered prior to this.

Class Map (CMAP) and Class List (CL)

A Class List (CL) is a sequence of ACLS,

${CL} = {\left( {{ACL}_{1},{ACL}_{2},\ldots \mspace{14mu},{ACL}_{n}} \right) = {\sum\limits_{i = 1}^{n}{< {ACL}_{i} >}}}$

And a CMAP is an ordered pair of Class List and a corresponding matchoperator (Y):

$\quad\begin{matrix}{{CMAP} = {\left( {{CL},Y} \right) = \left( {\left( {{ACL}_{1},{ACL}_{2},\ldots \mspace{14mu},{ACL}_{n}} \right),Y} \right)}} \\{= \left( {\left( {\sum\limits_{i = 1}^{n}{< {ACL}_{i} >}} \right),Y} \right)}\end{matrix}$

where the match operator Yε{match all, match any}. We use the symbolsY_(all) for match all operator and Y_(any) for match any operator.

For match all operation, a packet matches a Class Map with X₊ (permit)if there exists at least one filter, which is the first matching filterin the ACL, with the match outcome X₊ (permit) in each of the ACLs ofthe Class List. In other words, the packet must match all ACLs in the CLof the CMAP with the match outcome X₊ (permit). If in any ACL, the firstmatching filter has an outcome X⁻ (deny), the match has an outcome X⁻(deny) for the CMAP.

For match any operation, a packet matches a CMAP with X₊ (permit) if andonly if it matches at least one filter, which is the first matchingfilter encountered, with the match outcome X₊ (permit) from at least oneACL in the CL of the CMAP. In other words, the packet can match any ofACLs in the CL of the CMAP with the match outcome X₊ (permit). If in anyACL, the first matching filter has outcome is X⁻ (deny), the match hasan outcome X⁻ (deny) for the CMAP.

Notice that the order of ACLs in a CL is of no importance. So a CMAP canthen be rewritten as:

$\quad\begin{matrix}{{CMAP} = \left( {\left\{ {{ACL}_{1},{ACL}_{2},\ldots \mspace{14mu},{ACL}_{n}} \right\},Y} \right)} \\{= \left( {\left\{ {\sum\limits_{i = 1}^{n}\left\{ {{ACL}_{i} >} \right\}} \right\},Y} \right)}\end{matrix}$

If there exists only one ACL in the CL of a CMAP, the match all andmatch any are equivalent.

Note: In the presentation of the invention, it has been chosen that formatch all operation or match any operation, a packet matches a Class Mapwith X₊ (permit). However, the invented algorithm is not limited topacket matches a Class Map with X₊ (permit), deny is applicable in someapplications.

Policy Map (PMAP)

A policy map (PMAP) is a sequence of pairs (CMAP, Z) where Z is theaction to be taken for the packet if it matches the CMAP with permit.The actions are typically Forward, Drop, Remark DSCP Field in the IPHeader and so on.

$\quad\begin{matrix}{{PMAP} = \left( {\left( {{CMAP}_{1},Z_{1}} \right),\left( {{CMAP}_{2},Z_{2}} \right),\ldots \mspace{14mu},\left( {{CMAP}_{n},Z_{n}} \right)} \right)} \\{= \left( {\sum\limits_{i = 1}^{n}{< \left( {{CMAP}_{i},Z_{i}} \right) >}} \right)}\end{matrix}$

A packet matches a PMAP if and only if it first matches a CMAP_(i), withthe outcome X₊ (permit) and the corresponding action Z_(i) will beperformed for the packet. If a packet does not match any of the CMAPs orall the CMAPs match with outcome X⁻ (deny), a default action Z_(Def) isperformed for the packet. So a PMAP is implicitly equivalent to:

$\quad\begin{matrix}{{PMAP} = \left( {\left( {{CMAP}_{1},Z_{1}} \right),\left( {{CMAP}_{2},Z_{2}} \right),\ldots \mspace{14mu},\left( {{CMAP}_{n},Z_{n}} \right),\left( {{CMAP}_{*},Z_{def}} \right)} \right)} \\{= \left( {{\sum\limits_{i = 1}^{n}{< \left( {{CMAP}_{i},Z_{i}} \right) >}},\left( {{CMAP}_{*},Z_{Def}} \right)} \right)}\end{matrix}$

The universal CMAP, CMAP_(*), contains only one ACL, the universalACL_(*), together with a universal match operator, Y_(*):

-   -   CMAP_(*)=((ACL_(*)), Y_(*))        where ACL_(*)=((F_(*), X⁻)) and Y_(*) means the match operator        can either be match all (Y_(All)), or match any (Y_(Any)).

In general, a PMAP can be expressed by:

${PMAP} = \left( {\sum\limits_{i = 1}^{N}{< \left( {{CMAP}_{i},Z_{i}} \right) >}} \right)$

where the last element is the implicit universal CMAP with defaultaction, (CMAP_(*), Z_(Def)).

As the classifiers have been defined in accordance to the theory ofsets, the invented algorithm for transforming tree-like organizedclassifiers to flat filter structure, a kind of list structure, will nowbe present with reference to FIG. 5.

One important mathematical operation used hereafter is the intersectionbetween two sets, i.e. the intersections between two filters. The filterintersection has been earlier defined as the intersection between twofilters:

$\quad\begin{matrix}{{F_{1}\bigcap F_{2}} = {\left( {f_{{F\; 1},1},{f_{{F\; 1},2,\ldots \mspace{14mu},}f_{{F\; 1},n}}} \right)\bigcap\left( {f_{{F\; 2},1},{f_{{F\; 2},2,\ldots \mspace{14mu},}f_{{F\; 2},n}}} \right)}} \\{= \left( {{f_{{F\; 1},1}\bigcap f_{{F\; 2},1}},{f_{{F\; 1},2}\bigcap{f_{{F\; 2},2,\ldots \mspace{14mu},}f_{{F\; 1},n}}\bigcap f_{{F\; 2},n}}} \right)} \\{= \left( {\sum\limits_{i = 1}^{n}{< {f_{{F\; 1},i}\bigcap f_{{F\; 2},i}} >}} \right)}\end{matrix}$

where f_(F1,i)∩f_(F2,i) is defined in Table 1.

The first section, sub-algorithm A or section A, of the presentinvention is the transformation of a CMAP into flat filter structure,hereafter denoted as F_CMAP.

A Class Map (CMAP) is defined as:

$\quad\begin{matrix}{{CMAP} = \left( {{CL},Y} \right)} \\{= \left( {\left( {{ACL}_{1},{ACL}_{2},\ldots \mspace{14mu},{ACL}_{n}} \right),Y} \right)} \\{= \left( {\left( {\sum\limits_{i = 1}^{n}{< {ACL}_{i} >}} \right),Y} \right)}\end{matrix}$

When a packet matches a CMAP, the result is a match outcome Xε{permit,deny}. So there exists an equivalent ordered sequence of (F_(i), X_(i))which defines the exact same classification rules as in the CMAP.

$\quad\begin{matrix}{{F\_ CMAP} = \left( {\left( {F_{1},X_{1}} \right),\left( {F_{2},X_{2}} \right),\ldots \mspace{14mu},\left( {F_{N},X_{N}} \right)} \right)} \\{= \left( {\sum\limits_{i = 1}^{n}{< \left( {F_{i},X_{i}} \right) >}} \right)}\end{matrix}$

The last element in the ordered sequence is (F_(*), X⁻). As in all theACLs the last element is implicitly (F_(*), X⁻).

It can be seen that the resulting flat CMAP, F_CMAP, has the samestructure as in an ACL. To transform a CMAP to an F_CMAP, twoneighboring ACLs in the CL of the CMAP can be joined into one equivalentACL, and eventually all the ACLs will be transformed into a singleequivalent ACL as the CL.

Two ACLs are as follows:

$\begin{matrix}{{ACL}_{1} = \left( {\left( {F_{1,1},X_{1,1}} \right),\left( {F_{1,2},X_{1,2}} \right),\ldots \mspace{14mu},\left( {F_{1,m},X_{1,m}} \right)} \right)} \\{= \left( {\sum\limits_{i = 1}^{m}{< \left( {F_{1,i},X_{1,i}} \right) >}} \right)}\end{matrix}$ and $\begin{matrix}{{ACL}_{2} = \left( {\left( {F_{2,1},X_{2,1}} \right),\left( {F_{2,2},X_{2,2}} \right),\ldots \mspace{14mu},\left( {F_{2,n},X_{2,n}} \right)} \right)} \\{= \left( {\sum\limits_{i = 1}^{n}{< \left( {F_{2,j},X_{2,j}} \right) >}} \right)}\end{matrix}$

To emphasize the implicit terminating element (F_(*), X⁻) in every ACL,we rewrite the ACLs:

$\begin{matrix}{{ACL}_{1} = \left( {\left( {F_{1,1},X_{1,1}} \right),\left( {F_{1,2},X_{1,2}} \right),\ldots \mspace{14mu},\left( {F_{1,m},X_{1,m}} \right),\left( {F_{*},X_{1},_{-}} \right)} \right)} \\{= \left( {{\sum\limits_{i = 1}^{m}{< \left( {F_{1,i},X_{1,i}} \right) >}},\left( {F_{*},X_{1},_{-}} \right)} \right)}\end{matrix}$ and $\begin{matrix}{{ACL}_{2} = \left( {\left( {F_{2,1},X_{2,1}} \right),\left( {F_{2,2},X_{2,2}} \right),\ldots \mspace{14mu},\left( {F_{2,n},X_{2,n}} \right),\left( {F_{*},X_{2},_{-}} \right)} \right)} \\{= \left( {{\sum\limits_{i = 1}^{n}{< \left( {F_{2,j},X_{2,j}} \right) >}},\left( {F_{*},X_{2},_{-}} \right)} \right)}\end{matrix}$

We rewrite ACL₁ and ACL₂ in a more general form:

${ACL}_{1} = {\sum\limits_{i = 1}^{N_{1}}{< \left( {F_{1,i},X_{1,i}} \right) > {and}}}$${ACL}_{2} = {\sum\limits_{j = 1}^{N_{2}}{< \left( {F_{2,j},X_{2,j}} \right) >}}$

where the last element in both ACLs is the implicit, if not otherwisealready existing, universal filter with match outcome deny.

The algorithm for transforming them into a single one is as follows:

-   1) Step A1: List all the possible search paths with the    corresponding match outcome with the same order as in the two ACLs    by using the intersection operator “∩”, i.e. in the earlier defined    filter intersection operation.    -   (F_(1,1), X_(1,1)),    -   (F_(1,1), ∩F_(2,1), X_(2,1)), (F_(1,1), ∩F_(2,2), X_(2,2)), . .        . , (F_(1,1), ∩F_(2,n), X_(2,n)),    -   (F_(1,1), ∩F_(2,*), X₂,⁻),    -   (F_(1,2), X_(1,2)),    -   (F_(1,2), ∩F_(2,1), X_(2,1)), (F_(1,2), ∩F_(2,2), X_(2,2)), . .        . , (F_(1,2), ∩F_(2,n), X_(2,n)),    -   (F_(1,2), ∩F_(2,*), X₂,⁻),    -   . . . ,    -   (F_(1,1), X_(1,1)),    -   (F_(1,1), ∩F_(2,1), X_(2,1)), (F_(1,1), ∩F_(2,2), X_(2,2)), . .        . , (F_(1,1), ∩F_(2,n), X_(2,n)),    -   (F_(1,1), ∩F_(2,*), X₂,⁻),    -   (F_(1,*), ∩F_(2,1), X_(2,1)), (F_(1,*), ∩F_(2,2), X_(2,1)), . .        . , (F_(1,*), ∩F_(2,n), X_(2,n)),    -   (F_(1,*)∩F_(2,*), X_(2,−))        which can be expressed with the following:

${\sum\limits_{i = 1}^{N_{1}}{< {\left( {F_{1},X_{i}} \right) + \sum\limits_{j = 0}^{N_{2}}} < \left( {{F_{1,i}\bigcap F_{2,j}},X_{j}} \right)}}\operatorname{>>}$

-   2) Step A2: Add only the valid search paths according to the match    operator, Y, in the CMAP with the same order as in step A1, (i.e.    see 1)).    2a) For the search path involving only the first ACL, the path is    valid only when any of the following criteria are fulfilled:    -   Y=Y_(All) and X_(1,i)=X⁻    -   Y=Y_(Any) and X_(1,i)=X₊        2b) For the search path involving both ACLS, the path is valid        only when any of the following criteria are fulfilled:    -   Y=Y_(All) and X_(1,i)=X₊    -   Y=Y_(Any) and X_(1,i)=X⁻

As for any F(F_(i)≠F_(Ø)), F∩F_(2,*)=F, so the last element in theF_CMAP is always (F_(*), X⁻).

The joined ACL, ACL₁₊₂, is:

${ACL}_{1 + 2} = {{\begin{pmatrix}\begin{matrix}{\sum\limits_{i = 1}^{N_{1}}{< {\left( {F_{1,i},X_{1,i}} \right){{{Y = Y_{All}},}}}}} \\{{X_{l,i} = {{X_{-}\mspace{14mu} {or}\mspace{14mu} Y} = Y_{Any}}},}\end{matrix} \\{X_{I,i} = X_{+}}\end{pmatrix} + \sum\limits_{j = 1}^{N_{2}}} < {\left( {F_{j},X_{j}} \right) \left. {{Y = Y_{All}},{X_{l,i} = {{X_{+}\mspace{14mu} {or}\mspace{14mu} Y} = Y_{Any}}},{{X_{l,i} = X_{-}}\operatorname{>>}}} \right)}}$

ACL₁₊₂ can be joined with next ACL in the CL, ACL₃. Therefore:

-   3) Step A3: Repeat steps A1 and A2 till all the ACLs in the CL of    the CMAP is joined in to a single ACL.

By repeating these steps, all the ACLs in the CL of the CMAP can bejoined in to a single one.

$\begin{matrix}{{{F\_ CMAP} = \left( {\left( {F_{1},X_{1}} \right),F_{2},X_{2}} \right)},\ldots \mspace{14mu},\left( {F_{N},X_{N}} \right)} \\{= \left( {\sum\limits_{i = 1}^{N}{< \left( {F_{i},X_{i}} \right) >}} \right)}\end{matrix}$

where the last element is the implicit universal deny filter, (F_(*),X⁻).

-   4) Step A4: Repeat steps A1-A3 for each CMAP till all CMAPS are    F_CMAPs.

The next section, section B or sub-algorithm B, of the invented methodis to transform a PMAP into a flat filter structure, i.e. F_PMAP.

A Policy Map (PMAP) is defined as:

$\begin{matrix}{{PMAP} = \left( {\left( {{CMAP}_{1},Z_{1}} \right),\left( {{CMPAP}_{2},Z_{2}} \right),\ldots \mspace{14mu},\left( {{CMAP}_{m},Z_{m}} \right)} \right)} \\{= \left( {\sum\limits_{i = 1}^{m}{< \left( {{CMAP}_{i},Z_{i}} \right) >}} \right)}\end{matrix}$

where the last element is the implicit terminating universal CMAP_(*)with the default action Z_(Def).

As a CMAP can be represented by an equivalent F_CMAP,

$\begin{matrix}{{F\_ CMAP} = \left( {\left( {F_{1},X_{1}} \right),\left( {F_{2},X_{2}} \right),\ldots \mspace{14mu},\left( {F_{N},X_{N}} \right)} \right.} \\{= \left( {\sum\limits_{i = 1}^{N}{< \left( {F_{i},X_{i}} \right) >}} \right)}\end{matrix}$

where the last element is the universal deny filter, (F_(*), X⁻), we canrewrite the PMAP after converting ACLs in all CMAPs into F_CMAPs as:

$\begin{matrix}{{PMAP} = \begin{pmatrix}{\left( {{F\_ CMAP}_{1},Z_{1}} \right),\left( {{F\_ CMAP}_{2},Z_{2}} \right),\ldots \mspace{14mu},} \\{\left( {{F\_ CMAP}_{n},Z_{n}} \right),\left( {{CMAP}_{*},Z_{Def}} \right)}\end{pmatrix}} \\{{= \left( {\begin{pmatrix}{\left( {F_{1,1}X_{1,1}} \right),\left( {F_{1,2},X_{1,2}} \right),\ldots \mspace{14mu},} \\{\left( {F_{1,{N\; 1}},X_{1,{N\; 1}}} \right),\left( {F_{*},X_{-}} \right)}\end{pmatrix},Z_{1}} \right)},} \\{\left. {\begin{pmatrix}{\left( {F_{2,1}X_{2,1}} \right),\left( {F_{2,2},X_{2,2}} \right),\ldots \mspace{14mu},} \\{\left( {F_{2,{N\; 2}},X_{1,{N\; 2}}} \right),\left( {F_{*},X_{-}} \right)}\end{pmatrix},Z_{2}} \right),{\ldots.}} \\\left. {\left. {\begin{pmatrix}{\left( {F_{n,1},X_{n,1}} \right),\left( {F_{n,2},X_{n,2}} \right),\ldots \mspace{14mu},} \\{\left( {F_{n,{Nn}},X_{n,{Nn}}} \right),\left( {F_{*},X_{-}} \right)}\end{pmatrix},Z_{n}} \right),\left( {{CMAP}_{*}Z_{Def}} \right)} \right)\end{matrix}$

The flat PMAP structure can be defined as

${F\_ PMAP} = {\left( {\left( {F_{1},Z_{1}} \right),\left( {F_{2},Z_{2}} \right),\ldots \mspace{14mu},\left( {F_{M},Z_{M}} \right)} \right) = {\sum\limits_{i = 1}^{M}{< \left( {F_{i},Z_{i}} \right) >}}}$

where the last element is the universal default filter, (F_(*),Z_(Def)).

To transform a PMAP into F_PMAP format, first all the CMAPs aretransformed into F_CMAPS. Then join two neighboring F_CMAPs in the PMAPand transform into the flat structure as defined by the F_PMAP, andcontinue this until the last F_CMAP in the PMAP is transformed.

Two F_CMAPs are as follows:

-   -   F_CMAP₁=((F_(1,1), X_(1,1)), (F_(1,2), X_(1,2)), . . . ,        (F_(N1), X_(N1)), (F_(*), X⁻))        and    -   F_CMAP₂=((F_(2,1), X_(2,1)), (F_(2,2), X_(2,2)), . . . ,        (F_(2,N2), X_(1,N2)), (F_(*), X⁻))        both with the terminating universal filter, F_(*), with match        outcome X⁻ (deny).

To join two neighboring elements in a PMAP,

-   -   (F_CMAP₁, Z₁) and (F_CMAP₂, Z₂)        into the format

$\left( {\overset{M}{\sum\limits_{i = 1}}{< \left( {F_{i},Z_{i}} \right) >}} \right),$

the following steps are used:

-   5) Step B1: First transform F_CMAPs into the flat PMAP format    according to the rules for transforming a single CMAP into a PMAP.    -   F_PMAP₁=((F_(1,1), Z₁), (F_(1,2), Z₁), . . . , (F_(1,N1), Z₁),        (F_(*), Z_(Def)))        and    -   F_PMAP₂=((F_(2,1), Z₂), (F_(2,2), Z₂), . . . , (F_(2,N2), Z₂),        (F_(*), Z_(Def)))

Join two neighboring F_PMAPs, starting with the first F_PMAP as one ofthe F_PMAPs in the first iteration and thereafter using the combinediterated F_PMAP in the following iterations, into a single F_PMAP inaccordance to the following steps:

-   6) Step B2: Find out all the possible combinations by using filter    intersection when joining two neighboring F_PMAPS.    -   (F_(1,1), Z₁),    -   (F_(1,1), ∩F_(2,1), Z₂), (F_(1,1), ∩F_(2,2), Z₂), . . . ,        (F_(1,1), ∩F_(2,N2), Z₂),    -   (F_(1,1), ∩F_(2,*), Z_(Def)),    -   (F_(1,2), Z₁),    -   (F_(1,2), ∩F_(2,1), Z₂), (F_(1,2), ∩F_(2,2), Z₂), . . . ,        (F_(1,2), ∩F_(2,N2), Z₂),    -   (F_(1,2), ∩F_(2,*), Z_(Def)),    -   . . . ,    -   (F_(1,N1), Z₁),    -   (F_(1,N1), ∩F_(2,1), Z₂), (F_(1,N1), ∩F_(2,2), Z₂), . . . ,        (F_(1,N1), ∩F_(2,N2), Z₂),    -   (F_(1,N1), ∩F_(2,*), Z_(Def)),    -   (F_(1,*), Z_(Def))        which can be expressed with the following:

${\sum\limits_{i = 1}^{N_{1}}{< {\left( {F_{1,i},Z_{1}} \right) + \sum\limits_{j = 0}^{N_{2}}} < \left( {{F_{1,i}\bigcap F_{2,j}},Z_{2}} \right)}}\operatorname{>>}$

In this case the implicit universal default filter, (F_(*), Z_(Def)),terminating both F_PMAPs, is included.

-   7) Step B3: Add only the valid elements, (F_(*), Z), to the flat    PMAP, F_PMAP₁₊₂, if the element fulfills one of the following    criteria:    -   For filters involving only the first F_CMAP: Z_(1,i)≠Z_(Def),        iε{1, 2, . . . , N₁}    -   For filters involving both F_CMAPs: F_(1,i)∩F_(2,j)≠F_(Ø), iε{1,        2, . . . , N₁} and jε{1, 2, . . . , N₂}

The last element in the F_PMAP is (F_(1,*), Z_(Def)) as all F_CMAPs endwith the element (F_(*), X⁻).

We can express the combined F_PMAP with:

-   -   For filters involving only the first F_CMAP: Z_(1,i)≠Z_(Def),        iε{1, 2, . . . , N₁}    -   For filters involving both F_CMAPs: F_(1,i)∩F_(2,j)≠F_(Ø), iε{1,        2, . . . , N₁} and jε{1, 2, . . . , N₂}

The combined two neighboring CMAPs can be expressed as:

${{F\_ PMAP}_{1 + 2} = {\sum\limits_{i = 1}^{N_{1}}{< {{\left( {F_{1,i},Z_{1}} \right){\begin{matrix}{Z_{1,j} \neq {Z_{Def} +}} \\{\sum\limits_{j = 1}^{N_{2}}{< \left( {{F_{1,i}\bigcap F_{2,j}},Z_{2}} \right)}}\end{matrix}}F_{1,i}}\bigcap F_{2,j}} \neq F_{\varnothing}}}}\operatorname{>>}$

-   8) Step B4: Repeat steps B2 and B3 until the last CMAP is compiled.

By repeating steps B2 and B3 until the last CMAP is compiled, we get aflat PMAP as:

$\begin{matrix}{{F\_ PMAP} = \left( {\left( {F_{1},Z_{1}} \right),\left( {F_{2},Z_{2}} \right),\ldots \mspace{14mu},\left( {F_{M},Z_{M}} \right)} \right)} \\{= {\sum\limits_{i = 1}^{M}{< \left( {F_{i},Z_{i}} \right) >}}}\end{matrix}$

where the last one is the implicit universal default CMAP, (CMAP_(*),Z_(Def)).

The above presented method is a first embodiment of the invention. Asecond embodiment of the invention is used when compiling a combinationof a firewall ACL and a PMAP to flat filter structure.

A firewall ACL is defined as:

-   -   ACL_(FW)=((F₁, X₁), (F₂, X₂), . . . , (F_(n), X_(n)), (F_(*),        X⁻))        where the default action will be X⁻ (deny) defined in the        terminating universal filter F_(*).

We have an existing PMAP:

-   -   PMAP=((CMAP₁, Z₁), (CMAP₂, Z₂), . . . , (CMAP_(n), Z_(n)),        (CMAP_(*), Z_(Def)))

Firewall rules are usually used prior to the PMAP, so the combinedfirewall ACL with a PMAP can be represented by:

-   -   PMAP_(+FW)=((CMAP_(FW), Z_(FW)), (CMAP₁, Z₁), (CMAP₂, Z₂), . . .        , (CMAP_(n), Z_(n))

The CMAP_(FW) is equivalent to the original firewall ACL and Z_(FW) isthe defined action when a packet matches a filter rule in the ACL, suchas “Drop”. The default action can be “Forward” when firewall ACL is usedalone, and “Continue” when the packet needs to be filtered/classifiedfurther.

The algorithm for compiling a firewall ACL to an equivalent (CMAP_(FW),Z_(FW)) is as follows:

-   -   1) Step A1′: First invert the firewall ACL by inverting the        match outcome in the firewall ACL.    -   ˜ACL_(FW)=((F₁, ˜X₁), (F₂, ˜X₂), . . . , (F_(N), ˜X_(N)),        (F_(*), ˜X⁻))

The inverting operator, ˜, is defined for the match outcome as follows:

-   -   ˜X⁻=X₊    -   ˜X₊=X⁻        i.e. permit is inverted to deny, and deny is inverted to permit.

So the inverted firewall ACL can be rewritten as:

$\begin{matrix}{{\sim{ACL}_{FW}} = \left( {\left( {F_{1},{\sim X_{1}}} \right),\left( {F_{2},{\sim X_{2}}} \right),\ldots \mspace{14mu},\left( {F_{N},{\sim X_{N}}} \right),\left( {F_{*},X_{+}} \right)} \right)} \\{= \left( {\sum\limits_{i = 1}^{N}{< \left( {F_{i},{\sim X_{i}}} \right) >}} \right)}\end{matrix}$

where the last one is the universal permit filter, (F_(*), X₊).

-   -   2) Step A2′: Set the equivalent firewall CMAP to        CMAP_(FW)=(˜ACL_(FW), Y_(*))    -   3) Step A3′: Set the combined firewall ACL and PMAP to    -   PMAP_(+FW)=((CMAP_(FW), Z_(FW)), (CMAP₂, Z₂), (CMAP₃, Z₃), . . .        , (CMAP_(n), Z_(n)), (CMAP_(*), Z_(Def)))

It can be compiled to a flat PMAP, F_PMAP_(+FW), using the describedalgorithm according to section B of the invented compiling algorithm.

${F\_ PMAP}_{+ {FW}} = \left( {\sum\limits_{i = 1}^{M}{< \left( {F_{i},Z_{i}} \right) >}} \right)$

where the last element is the universal default filter, (F_(*),Z_(Def)).

Optimization.

The flat filter structure for a PMAP can be defined as:

F_PMAP=((F₁, Z₁), (F₂, Z₂), . . . , (F_(N), Z_(N)), (F_(*), Z_(Def)))

Following rules to optimize the entries:

Optimization rule A: An element in an F_PMAP, (F_(i), Z_(i)), isredundant if F_(i)

F_(j) where iε{1, 2, . . . , N) and j<i

where F_(i)

F_(j) is true if and only if F_(i)∩F_(j)=F_(i) using the rules definedin Table. 1.

A more general rule is:

Optimization rule B: An element in an F_PMAP, (F_(i), Z_(i)), isredundant if F_(i)

(F₁∪F₂∪ . . . ∪F_(i−1)) where iε{2, . . . , N)

Notice that optimization rules A and B apply to an ACL as well.

The methods presented here is general and can be applied to a singleACL, CMAP, PMAP or a combination of all these.

Further Possibilities.

So far, the action Z_(i) associated with match of a CMAP_(i), in aPolicy Map (PMAP)

$\begin{matrix}{{P\; M\; A\; P} = \begin{pmatrix}{\left( {{CMAP}_{1},Z_{1}} \right),\ldots \mspace{14mu},\left( {{CMAP}_{i},Z_{i}} \right),\ldots \mspace{14mu},} \\{\left( {{CMAP}_{n},Z_{n}} \right),\left( {{CMAP}_{*},Z_{Def}} \right)}\end{pmatrix}} \\{= \left( {\sum\limits_{i = 1}^{n + 1}{< \left( {F_{i},Z_{i}} \right) >}} \right)}\end{matrix}$

has been a single action (e.g. Forward, Drop, Remark DSCP field). Thefilter rule look-up is finished as soon as a match is found in a CMAP,and the corresponding action will be taken.

However, there are occasions when it is suitable to process a packet inseveral steps, e.g. multiple actions being taken for one packet alongthe processing pipeline. One simple example is the combined firewall ACLand Policy Map, where in the firewall ACL, the action to be taken isContinue to PMAP if it is a match with permit and the action is Drop ifthere is a match with deny.

In a Policy Map, the first action may involve a control flag such asZ₁=Remark DSCP field and continue to the next CMAP. The second action Z₂can be defined as Set MPLS tag and Transmit. If a packet matches bothCMAP₁ and CMAP₂, two actions will be taken, first the DSCP field in thepacket is remarked, then based on the new DSCP value, the packet istagged with an MPLS value and transmitted. Hence, the static rule nowbecomes a dynamic one, as the packet header has been changed due to thefirst action taken. Two approaches can be used to solve the problem:

-   -   1) Multiple Compilation and Search Method

As the packet header is changed, it is not possible to use the sameheader information for doing a look-up of filter rules. Thus it isnecessary to do multiple searches with separate CMAPs and thecorresponding action is taken after each search using the most recentupdated header information.

2) Single Compilation and Search Method

If the header information is changed in the packet due to a match in thefirst CMAP, it is possible to replace the filters in CMAP₂ with therelevant filters in CMAP₁. Take the example mentioned above, there aretwo filters, F_(1,1) and F_(1,2) in CMAP₁ that will cause the remarkingin DSCP field in the packet to a certain DSCP value, which is defined ina filter F_(2,1) in CMAP₂. Thus it is possible to replace F_(2,1) withF_(1,1) and F_(1,2) in CMAP₂ in compiling to a single flat PMAP. It iseasily understood that this can easily cause TCAM entry blow-ups and thealgorithm is getting more complicated.

The multiple compilation and search method described in 1) will causesuffering in speed, as the search time is proportional to the number ofmultiple searches, compared to the single search method described in 2).However, the single search method can easily cause blow-ups in number ofentries. Thus there is a trade-off between speed and storage whencomparing method 1) with 2). Generally, method 2) is more complicated toimplement using a TCAM and can easily cause blow-up of entries.

The present invention also relates to a computer program productcomprising a computer readable memory storage and stored computerreadable software code involving program instructions capable ofcontrolling a central processing unit of a computer or a microprocessor.The computer readable memory storage comprises stored computer readablesoftware code involving program instructions that, when read by and/orstored in said computer or microprocessor, are capable of controllingsaid computer or microprocessor to perform any of the steps according toany of the claims 1-9.

Any computer readable memory storage of any kind that is available forsale on the market is possible to use for storing the computer readablesoftware code comprising the invented algorithm.

The present invention is not limited to the above-described preferredembodiments. Various alternatives, modifications and equivalents may beused. Therefore, the above embodiments should not be taken as limitingthe scope of the invention, which is defined by the appending claims.

1-10. (canceled)
 11. A method of compiling command based policy rules toa flat filter list structure for storage in a Content Addressable Memory(CAM), said policy rules being organized in a tree-structure ofclassifiers, said method comprising the steps of: (a) finding all thepossible search paths in the tree structure; and (b) adding to the flatfilter list only the valid search paths according to defined criteria.12. The method according to claim 11, further comprising: (c)transforming a policy map (PMAP) into a flat policy map (F_PMAP),wherein said PMAP is a sequence of pairs (CMAP_(i), Z_(i)), where Z_(i)is the action to be taken for a data packet (P) if it matches the Classmap CMAP_(i) with permit (deny), and each CMAP_(i) is an ordered pair ofa Class list (CL) and a corresponding match operator Y_(i) that eitheris set to MATCH ALL (Y_(all)) or set to MATCH ANY (Y_(any)), and theF_PMAP is a list of ordered pairs (F_(i), Z_(i)), wherein the list ofordered pairs (F_(i), Z_(i)) is the result of steps (a) and (b).
 13. Themethod according to claim 12, wherein step (c) includes: transforming aClass map (CMAP) into a flat Class map (F_CMAP), wherein the CMAPcomprises the Class list (CL), which comprises a sequence of AccessControl Lists (ACL_(i)), wherein each ACL_(i) is a sequence of orderedpairs (F_(i), X_(i)), where F_(i) is a filter and X_(i) is acorresponding matching outcome, wherein X_(i) is either PERMIT or DENY,and the F_CMAP is a second sequence of ordered pairs (F_(j), X_(j)),wherein the second sequence of ordered pairs (F_(j), X_(j)) is theresult of the steps: (d) listing all search paths by a using a filterintersection between two ACLs in accordance with the individual order ofthe ACLs; (e) adding only the valid search paths according to the matchoperator, Y, in the CMAP with the same order as in step (d); and (f)repeating steps (d) and (e) until all the ACLs in the CL of the CMAP arejoined in to a single ACL.
 14. The method according to claim 13, whereinstep (c) includes repeating steps (d)-(f) for each CMAP until all CMAPSare F-CMAPs.
 15. The method according to claim 13, wherein step (e)includes determining valid search paths, said determining stepincluding: for the search path involving only the first ACL, determiningthe path is valid only when any of the following criteria are fulfilled:Y=Y_(All) and X_(1,i)=X⁻; and Y Y_(Any) and X_(1,i)=X₊; for the searchpath involving both ACLs, determining the path is valid only when any ofthe following criteria are fulfilled: Y=Y_(All) and X_(1,i)=X₊; andY=Y_(Any) and X_(1,i)=X⁻.
 16. The method according to claim 13, whereinstep (c) includes the step of first transforming F_CMAPs into a flatPMAP format according to rules for transforming a single CMAP into aPMAP.
 17. The method according to claim 16, wherein step (c) includesthe steps of: (g) determining all possible combinations by using afilter intersection when joining two neighboring F_PMAPs; (h) addingonly the valid elements (F, Z), to the flat PMAP (F_PMAP), if theelement fulfills one of the following criteria: for filters involvingonly the first F_CMAP: Z_(1,i)≠Z_(Def), i

{1, 2, . . . , N₁}; and for filters involving both F_CMAPs:F_(1,i)∩F_(2,J)≠F_(Ø), i

{1, 2, N₁); and j

{1, 2, . . . , N₂}; and (i) repeating steps (g) and (h) until the lastCMAP is compiled.
 18. The method according to claim 13, wherein thetransformation of step (c) involves a combination of a firewall ACL anda PMAP to flat filter structure, and step (c) includes the steps of:inverting the firewall ACL by inverting the match outcome in thefirewall ACL, resulting in ˜ACL_(FW)=((F₁, ˜X₁), (F₂, ˜X₂), . . . ,(F_(N1), ˜X_(N)), (F_(*1), ˜X⁻)); setting the equivalent firewall CMAPto CMAP_(FW)=(˜ACL_(FW), Y_(*)); and setting the combined firewall ACLand PMAP to PMAP_(+FW)=((CMAP_(FW), Z_(FW)), (CMAP₂, Z₂), (CMAP₃, Z₃), .. . , (CMAP_(N), Z_(N)), (CMAP_(*), Z_(Def))).
 19. The method accordingto claim 11, wherein the Content Addressed Memory (CAM) is a TernaryContent Addressed Memory (TCAM).
 20. A computer program loaded on amemory of a processor, said computer program comprising software codeportions for performing the following steps when the computer program isrun on the processor: compiling command based policy rules to a flatfilter list structure for storage in a Content Addressable Memory (CAM),said policy rules being organized in a tree-structure of classifiers,said compiling step including the steps of: finding all the possiblesearch paths in the tree structure; and adding to the flat filter listonly the valid search paths according to defined criteria.